
A cyber spy ring targeting government and business
computers containing sensitive information in over 100 countries
grabbed the headlines this week, but the latest attacks are nothing
new or unusual, say investigators.
UK businesses are still shocked when they discover they have
been infiltrated by cyber-espionage operations, but experts warn
that this sort of infiltration happens all the time.
The headline-grabbing spy operation, dubbed GhostNet, is
detailed in a report published this week by Canada's Information
Warfare Monitor (IWM) research group. The report should be a
wake-up call to all organisations that underestimate the
threat.
"Regardless of who or what is ultimately in control of GhostNet,
it is the capabilities of exploitation, and the strategic
intelligence that can be harvested from it, which matters most,"
IWM says.
The reality is that most organisations are susceptible to having
commercially sensitive information stolen, says Ian McGurk,
associate director for information security at consultancy Control
Risks.
Jonathan Evans, the MI5 director general, warned UK businesses
of the threat of state-sponsored cyber attacks in 2007, but most
organisations do not take the warning seriously, he says.
How to mitigate the threat of cyber spies

- Make users aware that threats exist
- Educate users about risky behaviour
- Limit user privileges to job roles
- Do not give open machines admin rights
- Audit and log network activity
- Identify and protect high-value information
- Do not rely on signature-based anti-virus software
- Use behaviour-based malware detection
Daily attacks
"We are seeing these cases on a daily basis. The
[cyber-espionage] operations are real, they are well organised, and
they are targeting data in organisations that continue to rely on
outdated technology for protection," says Yuval Ben-Itzhak, chief
technology officer at security firm Finjan.
According to Ben-Itzhak, signature-based malware detection
systems are useless against the types of trojans cyber spies are
using that are unknown to the security community and have no
registered signature.
Businesses have no defences against social malware attacks like
those used by the GhostNet operators. Well-designed e-mail lures
combined with malware are devastatingly effective, says Ross
Anderson, a professor at Cambridge University.
"If your business has sensitive information that might be a
target of capable motivated opponents, then your current
information security will probably not be good enough in the
future," he says.
IT departments should tackle the problem by beefing up system
security and staff awareness around the organisation's most
important information, says McGurk.
"Cyber-espionage is highly targeted, so protection should be
greatest around information that has the highest value to
outsiders," he says.
Enhance your protection
Organisations should identify high-value assets and information,
and concentrate on putting enhanced protection around these and
associated processes.
Information relating to mergers and acquisitions or anything
else likely to affect share prices, and about new products such as
designs and planned launches, are prime targets.
"Anyone working with this type of information should be made
aware of the threat of cyber espionage and how they could be
targeted by social engineering attacks," says McGurk.
In the face of unknown trojans that may go undetected for
months, McGurk advocates a layered defence strategy, including
auditing and logging systems to track all network activities.
"If you have the right defences and levels of awareness and
training in place, you can make it difficult to the point where
cyber spies give up," he says.
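The sidebar's advice to audit and log network activity and to use behaviour-based rather than signature-based detection, and McGurk's point that logging is a layer that works against trojans with no known signature, can be made concrete with a small detector. The following is an added example, not code from the article or from any of the firms quoted: it reads constructed proxy-style log lines and flags internal hosts that contact the same unknown external destination at suspiciously regular intervals, the check-in pattern a trojan's command channel tends to leave in logs. The log format, host names, thresholds and allowlist are all assumptions made for the example.

```python
"""Behaviour-based beacon detection over network logs (added example).

Flags (internal host, destination) pairs whose connection intervals are
nearly constant. A signature is never consulted: the logic works from
the behaviour recorded in the logs alone.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log; format is assumed to be
# "<ISO timestamp> <internal host> <destination> <bytes out>".
SAMPLE_LOG = """\
2009-03-30T09:00:00 ws-finance-07 static-cdn.example-unknown.test 812
2009-03-30T09:00:05 ws-finance-07 mail.example-corp.test 4120
2009-03-30T09:05:01 ws-finance-07 static-cdn.example-unknown.test 815
2009-03-30T09:07:40 ws-finance-07 news.example-site.test 20300
2009-03-30T09:10:02 ws-finance-07 static-cdn.example-unknown.test 810
2009-03-30T09:15:00 ws-finance-07 static-cdn.example-unknown.test 818
2009-03-30T09:20:01 ws-finance-07 static-cdn.example-unknown.test 811
2009-03-30T09:25:00 ws-finance-07 static-cdn.example-unknown.test 809
2009-03-30T09:02:13 ws-legal-02 mail.example-corp.test 3900
2009-03-30T09:31:57 ws-legal-02 mail.example-corp.test 5100
2009-03-30T09:33:05 ws-legal-02 news.example-site.test 19800
2009-03-30T09:41:50 ws-legal-02 news.example-site.test 17200
2009-03-30T10:02:17 ws-legal-02 news.example-site.test 22100
2009-03-30T10:03:30 ws-legal-02 news.example-site.test 9800
2009-03-30T11:15:44 ws-legal-02 news.example-site.test 25600
this line is malformed and must be skipped
"""

# Destinations the organisation operates or has vetted (assumed).
ALLOWLIST = {"mail.example-corp.test"}


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            stamp = datetime.fromisoformat(parts[0])
            size = int(parts[3])
        except ValueError:
            continue
        yield stamp, parts[1], parts[2], size


def find_beacons(text, min_connections=5, max_jitter=0.2, allowlist=ALLOWLIST):
    """Return {(src, dst): stats} for pairs that look like periodic check-ins.

    max_jitter bounds the coefficient of variation (stdev / mean) of the
    gaps between connections. Human browsing produces highly irregular
    gaps; a scheduled callback produces gaps that barely vary.
    """
    by_pair = defaultdict(list)
    for stamp, src, dst, _size in parse_log(text):
        if dst not in allowlist:
            by_pair[(src, dst)].append(stamp)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits[pair] = {
                "connections": len(stamps),
                "period_s": round(avg),
                "jitter": round(jitter, 3),
            }
    return hits


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{stats['period_s']}s "
              f"({stats['connections']} connections, jitter {stats['jitter']})")
```

On the sample, the finance workstation's five-minute check-ins to the unknown host are reported, while the legal workstation's irregular visits to a news site and all traffic to the allowlisted mail server are not. In practice the thresholds need tuning per environment, and the output is a lead for an analyst to examine alongside the host's process and authentication logs, not a verdict on its own.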
Chinese connection

GhostNet has been linked with locations in China, raising
suspicions of state-sponsored espionage. Chinese hackers are
thought to target western networks continually, and are known to
have attacked UK government department computers in 2007. But
researchers say it is wrong to attribute all Chinese malware to
deliberate information gathering by the state, and Chinese
authorities have denied any involvement. The operation infiltrated
over 1,000 computers using spyware installed invisibly as users
clicked on attachments or links in well-crafted or hijacked
e-mails.